Deeper Connections between LTL and Alternating Automata - FI MUNI

}

FI MU

w A| y < 5 4 23 1 0 / -. , )+ ( %&' $ # !"

Æ

Faculty of Informatics Masaryk University Brno

Deeper Connections between LTL and Alternating Automata by

Radek Pelánek Jan Strejˇcek

FI MU Report Series

Copyright c 2004, FI MU

FIMU-RS-2004-08 September 2004

Copyright c 2004, Faculty of Informatics, Masaryk University. All rights reserved. Reproduction of all or part of this work is permitted for educational or research use on condition that this copyright notice is included in any copy.

Publications in the FI MU Report Series are in general accessible via WWW: http://www.fi.muni.cz/veda/reports/

Further information can obtained by contacting: Faculty of Informatics Masaryk University Botanická 68a 602 00 Brno Czech Republic

Deeper Connections between LTL and Alternating Automata Radek Pelánek and Jan Strejˇcek Faculty of Informatics, Masaryk University Botanická 68a, 602 00 Brno, Czech Republic

{xpelanek,strejcek}@fi.muni.cz September 7, 2004

Abstract It is known that Linear Temporal Logic (LTL) has the same expressive power as alternating 1-weak automata (A1W automata, also called alternating linear automata or very weak alternating automata). A translation of LTL formulae into a language equivalent A1W automata has been introduced in [MSS88]. The inverse translation has been developed independently in [Roh97] and [LT00]. We improve the latter translation and present deeper connections between LTL and A1W automata. Using these translations we identify the classes of A1W automata equivalent to LTL fragments given by bounds on nesting depths of temporal operators ˇ (see, e.g., [Wil99, KS02]) and the fragments of Until-Release hierarchy [CP03].

1 Introduction An automata-theoretic approach to the study of temporal logics proved to be very fruitful. The best example is the well known fact that each formula of Linear Temporal Logic (LTL) [Pnu77] can be transformed into nondeterministic Büchi automaton that accepts exactly the infinite words satisfying the formula [WVS83, VW94]. This transformation is one of the cornerstones of the automata-based model checking of LTL properties [VW86]. It is also known that there are Büchi automata accepting languages that are not definable by any LTL formula [Wol83]. Supported by

the Grant Agency of Czech Republic, grant No. 201/03/1161.

1

Later on, alternating 1-weak Büchi automata (or A1W automata for short, also known as alternating linear automata or very weak alternating automata) have been identified as the type of automata with the same expressive power as LTL. Muller, Saoudi, and Schupp [MSS88] introduced a translation of LTL formula into equivalent A1W automata. This translation produces A1W automata with number of states linear in the lentgh of input formula contrary to the mentioned translation into Büchi automata where the number of states is exponential. The translation of LTL into A1W automata has been recently used to built new and more efficient algorithms for translation of LTL into nondeterministic Büchi automata [GO01, Tau03]1 . The translation of A1W automata into equivalent LTL formula has been presented independently by Rohde [Roh97] and Löding and Thomas [LT00]. Hence, the two formalisms are equivalent. Soon after introduction of LTL, the study of fragments of the logic started. It is often connected with searching for more efficient verification algorithm working with a fragment of LTL. In [Lam83] Lamport argue that for reasoning about concurrent system we should use the fragment of LTL without next operator rather than complete LTL. Many reduction methods improving the verification algorithms have been designed for the next-free fragment so far (see, for example, [Val91, God96, HP95, Pel98]). Besides fragments given by restricted set of temporal operators, the fragments given by bounds on nesting depths of temporal operators or alternation of temporal operators are studied as well (for more details see the surveys [Wil99, DS98, Sch03] or some recent papers ˇ like [KS02, CP03, TW04]). In the light of research on LTL fragments, it is natural to ask for classes of A1W automata with the same expressive power as the studied LTL fragments. It turns out that the translation of A1W automata into LTL mentioned above is not appropriate for study of such automata classes as it wastes temporal operators. For example, the automaton corresponding to the formula

a U (b ^ (b U c)) is translated into formula

a U (b ^ X(b U c)). In our paper we present an improved translation of A1W automata

into equivalent LTL formulae. Our translation reduces the nesting depth of next operators and prefers the use of less expressive temporal operators (eventually or globally instead of until). We prove that for an A1W automaton produced by the standard translation of an LTL formula 1

' our translation provides a formula with the same (or even

In fact, the paper [GO01] employs alternating 1-weak co-Büchi automata. However, Büchi and co-

Büchi acceptance conditions are expressively equivalent for alternating 1-weak automata.

2

less) nesting depths of until, next, and eventually operators comparing to these nesting

depths in '.

With use of this results we identify classes of A1W automata defining the same classes of languages as LTL fragments given by bounds on nesting depths of temporal operators. Further, with use of standard translations between LTL and A1W automata we identify the classes of A1W automata corresponding to the fragments of ˇ Until-Release hierarchy [CP03]. The paper is structured as follows. In Section 2 we recall the definition of LTL and some of its fragments, and the definition of alternating 1-weak automata. Section 3 presents the standard translation of A1W automata into LTL formulae [MSS88, Var97] and translation of LTL formulae into A1W automata [Roh97, LT00]. Section 4 provides an improved version of the latter translation, proof of its correctness, and basic observations about relation between nesting depths of temporal operators in a formula and properties of the corresponding automaton. In Section 5 we define classes of A1W automata corresponding to the mentioned LTL fragments. Section 6 sums up presented results and indicates several topics for future work.

2 Preliminaries The syntax of LTL is given by the abstract syntax equation

'

::=

> j a j :' j '1 ^ '2 j X' j F' j '1 U '2;

where a ranges over countable set

fa; b; c; : : :g of letters. We also use ? to abbreviate :>, G' to abbreviate :F:', and ' R to abbreviate :(:' U : ). The operators =

X; F; U; G; R are called next, eventually, until, globally, and release, respectively. Let us

note that F' can be equivalently defined as an abbreviation for > U '.

We define the semantics of LTL in terms of languages over infinite words. An al-

. An !-word over alphabet is an infinite sequence w = w(0)w(1)w(2) : : : 2 ! of letters from . For every i 2 N 0 , by wi we denote the suffix of w beginning with the letter w(i). The validity of an LTL formula ' for w 2 ! is defined as follows: phabet is a finite set

w j= > w j= a

iff

a = w(0) 3

w j= :' w j= '1 ^ '2 w j= X' w j= F' w j= '1 U '2

w 6j= ' iff w j= '1 ^ w j= '2 iff w1 j= ' iff 9i 2 N 0 : wi j= ' iff 9i 2 N 0 : wi j= '2 ^ 8 0 j < i : wj j= '1 For every alphabet , an LTL formula ' defines the language L (') = fw 2 ! j w j= 'g. Let us (inductively) define the nesting depths of the X; F and the U modalities in a given LTL formula '. X-depth(>) = 0 X-depth(a) = 0 X-depth(:') = X-depth(') X-depth('1 ^ '2 ) = maxfX-depth('1 ); X-depth('2 )g X-depth(X') = X-depth(') + 1 X-depth(F') = X-depth(') X-depth('1 U '2 ) = maxfX-depth('1 ); X-depth('2 )g F-depth(>) = 0 F-depth(a) = 0 F-depth(:') = F-depth(') F-depth('1 ^ '2 ) = maxfF-depth('1 ); F-depth('2 )g F-depth(X') = F-depth(') F-depth(F') = F-depth(') + 1 F-depth('1 U '2 ) = maxfF-depth('1 ); F-depth('2 )g U-depth(>) = 0 U-depth(a) = 0 U-depth(:') = U-depth(') U-depth('1 ^ '2 ) = maxfU-depth('1 ); U-depth('2 )g U-depth(X') = U-depth(') U-depth(F') = U-depth(') U-depth('1 U '2 ) = maxfU-depth('1 ); U-depth('2 )g + 1 iff

Now we define a notation of LTL fragments given by bounds on nesting depths of

[ f1g, by LTL(Um; Xn; Fk) we denote the set f' 2 LTL j U-depth(') m and X-depth(') n and F-depth(') kg:

temporal operators. For all m; n; k 2 N 0

4

We omit upper indices equal to

1 from LTL Um; Xn; Fk . Moreover, we usually omit (

)

the whole operator if its index is 0. For example, by LTL(Xn ; F) we mean the fragment

LTL(U0 ; Xn ; F1 ).

Alternating automata are generalizations of nondeterministic ones. Transition function of an alternating automaton combines the nondeterministic and universal mode. More formally, transition function assigns to each state and letter a positive boolean formula over states. The set of positive boolean formulae over finite set of states Q (denoted

B (Q)) contains formulae > (true), ? (false), all elements of Q and boolean combinations over Q built with ^ and _. A subset S of Q is a model of ' 2 B (Q) iff the valuation assigning true just to states in S satisfies '. A set S is a minimal model of ' (denoted S j= ') iff S is a model of ' and no proper subset of S is a model of '. An alternating Büchi automaton is a tuple A = (; Q; q0 ; Æ; F), where is a finite input alphabet, Q is a finite set of states, q0 2 Q is an initial state, Æ : Q ! B (Q) is a transition function, and F Q is a set of accepting states. By A(p) we denote the automaton A with initial state p 2 Q instead of q0 . A run of an alternating automaton is a (potentially infinite) tree. A tree is a set T N such that if xc 2 T , where x 2 N and c 2 N , then also x 2 T and xc 0 2 T for all 0 c 0 < c. A Q-labeled tree is a pair (T; r) where T is a tree and r : T ! Q is a labeling function. A run of an automaton A = (; Q; q0; Æ; F) over !-word w 2 ! is a Q-labeled tree (T; r) with +

+

+

the following properties: 1.

r() = q0.

2. For each x 2 T the set S = fr(xc) j xc 2 T g satisfies S j= Æ(r(x); w(jxj)).

T; r) is accepting iff for every infinite path in T it holds that Inf () \ F 6= ;, where Inf () is a set of all labels (i.e. states) appearing infinitely often on . An automaton A accepts an !-word w 2 ! iff there exists an accepting run of A over w. A language of all !-words accepted by an automaton A is denoted by L(A). Let Succ(p) denotes the set Succ(p) = fq j 9a 2 ; S Q : S [ fqg j= Æ(p; a)g of all possible successors of p, and Succ 0 (p) = Succ(p) r fpg. An automaton is called 1-weak if there exists an ordering < on the set of states Q such that q 2 Succ0 (p) implies q < p. In A run

(

the following we use A1W automaton or simply automaton meaning "alternating 1-weak Büchi automaton".

An A1W automaton A = (; Q; q0 ; Æ; F) can be drawn as a graph; nodes are the states

of the automaton and every

S Q satisfying S j= Æ(p; a) (where p 2 Q and a 2 ) is 5

a a

p

q1 b

b c

q2 c

a b

q3

c

Figure 1: The automaton accepting the language a bfa; b; cgc! . depicted as a branching edge labelled with a and leading from node p to the nodes from

S. Edges that are not leading to any node correspond to the cases when S is an empty set. An initial state is indicated by a special unlabelled edge leading to the corresponding node. Nodes corresponding to the accepting states are double-circled. For example, the Figure 1 depicts an automaton accepting the language

a bfa; b; cgc!.

Instead of

S j= Æ(a; p) we write p !a S and say that an automaton has a transition leading from p to S under a. A state p of an automaton has a loop whenever p 2 Succ(p). 3 Standard translations between LTL and A1W automata In this section we recall the standard translation of LTL formulae to A1W automata [MSS88] and (a variant of) a translation of A1W automata to LTL presented recently in [LT00]. The translation of A1W automata to LTL has been independently introduced by Rohde in [Roh97]. In this section we treat every (sub)formula of the form F' as an abbreaviation for > U '.

3.1 LTL

!A1W translation

Let ' be an LTL formula and an alphabet. The formula can be translated into an automaton A satisfying L(A) = L ('), where A = (; Q; q' ; Æ; F) and

the states

Q = fq ; q: j

of ' and their negations,

is a subformula of 'g correspond to the subformulae

6

the transition function Æ is defined inductively in the following way:

Æ(q>; a) = > Æ(qa; b) = > if a = b; Æ(qa; b) = ? otherwise Æ(q: ; a) = Æ(q ; a) Æ(q ^ ; a) = Æ(q ; a) ^ Æ(q; a) Æ(qX ; a) = q Æ(q U ; a) = Æ(q ; a) _ (Æ(q ; a) ^ q U ) where denotes the positive boolean formula dual to defined by induction on the structure of as follows: >=? q: = q ^ = ^ ?=> q = q: _ = _

the set of accepting states F = fq:(

U)

j

U is a subformula of 'g.

A (') for the automaton given by the translation of an LTL formula ' with respect to an alphabet . The number of states of the automaton A (') is clearly linear in the length of '. For example, the translation applied on the formula ' = (a U b) ^ FGc and the alphabet = fa; b; cg produces the automaton depicted on Figure 1, where p; q1 ; q2 ; q3 stand for q' ; qaUb ; qFGc ; qGc , respectively. We use the notation

3.2 A1W

!LTL translation

Let A = (; Q; q0 ; Æ; F) be an A1W automaton. For each p 2 Q we define an LTL formula

'p such that L ('p) = L(A(p)) (in particular L('q0 ) = L(A)). The definition proceeds by induction respecting the ordering of states; the formula 'p employs formulae of the form 'q where q 2 Succ 0 (p). This is the point where the 1-weakness of the automaton is used. To illustrate the inductive step of the translation, let us consider the situation depicted on Figure 2. The formula corresponding to state

X'r ).

p is 'p = (a ^ X'q ) U (b ^

Before we give a formal definition of 'p , we introduce some auxiliary formulae. Let

a 2 be a letter and S Q be a set of states. The formula (a; S) = a ^ 7

^

q2S

X'q

p

a

b

q

r

...

...

Figure 2: Part of an automaton translated into the formula 'p

a ^ X'q ) U (b ^ X'r).

=(

intuitively corresponds to a situation when automaton makes transition under

the set of states S. Formulae p and p defined as

p =

_

p!S p2S a

(a; S r fpg)

p =

_ p!S p 62 S a

a into

(a; S)

intuitively correspond to all transitions leading from state p; p covers transitions with a loop (i.e., the transitions leading to a set of states containing p) while p cover the others. The definition of 'p then depends on whether p is an accepting state or not.

'p =

8< p U p : p U p (

if p 62 F )

_ G p

if p 2 F

The proof of the correctness of this translation can be found in [LT00]. Given an A1W automaton A with an initial state q0 , by '(A) we denote the formula '(A) = 'q0 .

4 Improved translation The A1W

!LTL translation presented in the previous section wastes temporal opera-

tors. The main problem of the translation is that for each successor

q2

Succ0 (p) of

a state p the formula 'p contains a subformula X'q even if the X operator is not needed.

This can be illustrated by an automaton A on Figure 3.

The automaton is an automaton for a formula a U (b ^ (b U c)). The A1W

!LTL trans-

lation provides an equivalent formula '(A) = a U (b ^ X(b U c)) in spite of it. Let p

!a S be a transition and X S. We now formulate conditions that are sufficient

to omit the X operator in front of 'q (for every q 2 X) in a subformula of 'p corresponding to the transition p

!a S. A set X satisfying these conditions is called X-free. 8

a

p b q c

b

Figure 3: An automaton for the formula a U (b ^ (b U c)). Definition 4.1. Let p X-free for p

!a S be a transition of an automaton A. A set X S r fpg is said to be

!a S if following conditions hold.

1. For each q 2 X there is Sq0

S such that q !a Sq0 .

X and for each q 2 Y let Sq0 Q be a set satisfying q !a Sq0 and q 62 Sq0 . Then S a there exists a set S 00 (S r Y ) [ q2Y Sq0 satisfying p ! S 00 .

2. Let Y

Figure 4 illustrates the conditions for X-freeness. Please note that it can be the case

that p 2 S. Further, in the first condition it can be the case that q 2 Sq0 .

It is easy to see that empty set is X-free for every transition. Further, every subset of a X-free set for a transition is a X-free set for the transition as well. On the other hand, Figure 5 demonstrates that the union of two X-free sets need not be X-free; in the automaton indicated on the figure, the sets fq1 g; fq2 g are X-free for p set fq1 ; q2 g is not.

!a fq1; q2g while the

Let Xfree be an arbitrary but fixed function assigning to each transition a set that is X-free for

p

!a S

p !a S. We now introduce an improved A1W!LTL translation.

Roughly speaking, the translation omits the X operators in front of subformulae which correspond to the states in X-free sets given by the function Xfree. Thereafter we prove that this translation remains correct.

!LTL translation exhibits similar structure as the original one.

The improved A1W

(a; S) representing a transition under a leading from an arbitrary state p to S, we define a specialized formula p0 (a; S) for each transition p !a S. ^ ^ 'q0 p0 (a; S) = a ^ X'q0 ^ Instead of formulae of the form

a q 2 S r Xfree(p ! S) q 6= p

9

a q 2 Xfree(p! S)

p

a

1.

q

S

S Sq0 1

=)

X

S

p

a

2.

a

q1 q2 a

...

a Sq0 2

p

a

qn Y ...

a

=)

S

Sq0 n

q a Sq0 p

a

q1 q2

Sq0 1

...

qn Y

S 00 Sq0 2

Sq0 n

Figure 4: The conditions for X-freeness.

a p a a q1 a

q2 a

q3

q4

...

...

Figure 5: The sets fq1 g; fq2 g are X-free for p

10

!a fq1; q2g while the set fq1; q2g is not.

p0 =

_ a p! S p2S

p0 (a; S)

In the following definition of a formula

p0 =

_ a p! S p 62 S

p0 (a; S)

'p0 we identify some cases when U can be re-

placed by “weaker” operators F or G. To this end we define two special types of states.

p !a fpg for every a 2 . A state p is of a the G-type if every transition of the form p ! S satisfies p 2 S.

A state p is of the F-type if there is a transition

8> >> p >> ? >> >> F p < >> p U p >> > >> >> Gp >: p U p 0

if p 62 Succ(p) if p 2 Succ(p);

p 62 F; p is of G-type 0 if p 2 Succ(p); p 62 F; p is of F-type and not of G-type 0 0 'p0 = if p 2 Succ(p); p 62 F; p is neither of F-type nor of G-type if p 2 Succ(p); p 2 F; p is of F-type 0 if p 2 Succ(p); p 2 F; p is of G-type and not of F-type 0 ( 0 ) _ Gp0 if p 2 Succ(p); p 2 F; p is neither of F-type nor of G-type The new cases in the definition of 'p0 make only a cosmetic change comparing to the

!LTL translation. First, we add a case for states without any loop. This

original A1W

change does not influence the correctness of the translation as the condition p 62 Succ(p)

says that p0

? and therefore 'p0 = p is equivalent to p0 U p0 as well as to (p0 U p0 ) _ Gp0 . Further, it is easy to check that if a state p is of F-type then p0 () > and if p is of G-type then p0 = ?. Hence, all cases for p 2 Succ(p) and p 62 F are equivalent to p0 U p0 and all cases for p 2 Succ(p) and p 2 F are equivalent to (p0 U p0 ) _ Gp0 . =

Before we show that the improved translation is equivalent to the original one (and thus also correct), we prove two auxiliary lemmata.

!a S be a transition of an A1W automaton A. then the implication a; S r fpg =) p a; S holds.

Lemma 4.2. Let

q 2 Succ 0(p)

p

(

)

0

(

If

'q

() 'q for each 0

)

(a; S r fpg) and p0 (a; S) and the assumption of the lemma, it is sufficient to show for each !-word w 2 ! that a if q 2 Xfree(p ! S) and w j= (a; S r fpg) then w j= 'q . a The first condition for X-freeness gives us that there is Sq0 S such that q ! Sq0 . From the 1-weakness of the automaton we have that p 62 Sq0 . Thus, Sq0 S r fpg and w j= (a; S r fpg) implies w j= (a; Sq0 r fqg). As w j= (a; Sq0 r fqg) and q !a Sq0 we have that Proof. Due to the definitions of

11

either q 2 Sq0 and then w j= q , or q 62 Sq0 and then w j= q . Anyway, w j= q _ q holds. At the same time w j= (a; S r fpg) implies w j= X'q . We are done as w j= q _ q and

w j= X'q imply w j= 'q.

!a S be a transition of an A1W automaton A such that for each q 2 Succ p the equivalence 'q () 'q holds. Then p a; S =) p _ p . Moreover, if p 62 S then p a; S =) p. Lemma 4.3. Let p

0

0

0

(

0

(

( )

)

)

w 2 ! is an !-word such that w j= p0 (a; S). assumption of the lemma the formula p0 (a; S) is equivalent to

Proof. Let us suppose that

a^

^

q 2 S r Xfree(p ! S) q 6= p a

X'q

^

^

q 2 Xfree(p!S) a

Due to the

'q :

'q =) q _ X'q . Let Y = fq 2 Xfree(p !a S) j w j= qg. For each q 2 Y , the definition of the formula q and the assumption w j= a (due to w j= p0 (a; S)) imply a that there exists a set Sq0 such that q ! Sq0 , q 62 Sq0 , and w j= (a; Sq0 ). The second S condition for X-freeness gives us that there exists a set S00 (S r Y ) [ q2Y Sq0 satisfying p !a S 00. As w j= X'q for every q 2 S r Y and w j= (a; Sq0 ) for each q 2 Y , we get a that w j= (a; S 00 r fpg) as well. To sum up, we have a set S 00 such that p ! S 00 and w j= (a; S 00 r fpg). If p 2 S 00 then w j= p. Moreover, 1-weakness of the automaton implies that p 62 Sq0 and therefore p 2 S. Finally, if p 62 S 00 then w j= p . Obviously

We are now ready to prove the correctness of the improved translation.

A = (; Q; q0; Æ; F) be an A1W automaton. equation L(A(p)) = L ('p0 ) holds.

Theorem 4.4. Let

Proof. It is sufficient to show that 'p

For every state

p 2 Q the

() 'p holds for every p 2 Q. The proof proceeds 0

by induction with respect to the ordering on Q. If Succ 0 (p) =

; then an empty set is the only X-free set for any transition leading from p. Hence 'p and 'p0 are equivalent. Let us now assume that the equivalence holds for every q 2 Succ 0 (p). The Lemma 4.2 implies 'p =) 'p0 . Lemma 4.3 gives us that p0 implies p , and p0 implies p _ p . As an immediate consequence we get 'p0 =) 'p .

A be an A1W automaton and q0 its initial state. By 'Xfree (A) we denote the formula 'q0 0 given by the improved translation using the function Xfree. Let

12

After it has been proven that the improved translation remains correct, it is only natural to examine the “quality” of formulae it produces. The improved translation has been motivated by the observation that the standard one wastes X operators. Therefore,

we show that the improved translation allows to translate an automaton A (') derived from a formula

' 2 LTL(Um; Xn) back into a formula from LTL(Um; Xn).2

In order to

do so, we define two metrics for A1W automata, namely loop-height and X-height, and

A with loop-height m and X-height n can be translated into a formula form LTL(Um ; Xn ). Then we prove that an automaton A (') given by the standard LTL!A1W translation of a formula ' 2 LTL(Um ; Xn ) has loop-hieght and X-height at most m and n, respectively. show that an automaton

; Q; q0; Æ; F) be an A1W automaton. For each state p 2 Q we inductively define its loop-height and X-height (denoted by lh(p) and Xh(p) respectively) as

Definition 4.5. Let

A

lh(p) =

= (

8< maxflh q : maxflh q

Xh(p) = max a p!S

( )

j q 2 Succ 0(p)g + 1

if p 2 Succ(p);

( )

j q 2 Succ 0(p)g

otherwise;

f

min fneedX(p a X is X-free for p! S

!a S; X g g; )

where maximum over empty set is 0 and needX(p

!a S; X

)=

max(fXh(q) j q 2 Xg

[ fXh(q) + 1 j q 2 S r X; q 6= pg):

We also define loop-height and X-height of the automaton A as the loop-height and X-height of its initial state, i.e., lh(A) = lh(q0 ) and Xh(A) = Xh(q0 ). Intuitively, loop-height of an automaton

A holds the maximal height of states of A

with a loop. The X-height counts the minimal nesting depth of X operators achievable by the improved translation; the definition consider the minimum over all choices of X-free sets. Theorem 4.6. Let

A

be an A1W automaton.

'Xfree (A) 2 LTL(Ulh A ; XXh A ). (

)

(

There exists a function Xfree such that

)

Proof. Please note that U-depth('Xfree (A)) does not depend on the choice of the function Xfree. Contrary to the U-depth, the X-depth of the resulting formula depends on the function Xfree. The function Xfree satisfying X-depth('Xfree (A)) = Xh(A) can be derived 2

In the rest of this section, F

is seen as an abbreviation for > U .

13

p !a S we set Xfree(p !a S) = X, where X is a X-free set for p !a S such that the value of needX(p !a S; X) is minimal. It is a straightforward observation that this function satisfies 'Xfree (A) 2 LTL(Ulh A ; XXh A ). We should note that the bound on U-depth('Xfree (A)) given by lh(A) is not tight. The structure of a formula 'p0 shows that there can be states with a loop that are translated into > or ? and thus they do not bring any new temporal operators. However, if we a remove these states and all transitions of the form p ! S such that S contains a state translated into ?, we get an automaton A 0 that is language equivalent to the original one and U-depth('Xfree (A 0 )) = lh(A 0 ). Theorem 4.7. Let ' 2 LTL(Um ; Xn ) be a formula. Then lh(A (')) m and Xh(A (')) n for each alphabet . Proof. Before we prove the inequalities, we examine the automaton A ('). Let q' be a state of A ('). States in Succ(q' ) are of the form 1. q U or q: U , where U is such a subformula of ' 0 that is not in a scope of directly from the definition of X-height; for every transition

(

)

(

)

0

0

)

(

any X operator, or 2.

q

or q: , where X is such a subformula of ' 0 that is not in a scope of any other

X operator. Let us note that some of the states can match both cases, e.g., a state

Succ(q(

U)_X( U) ).

q

U

2

Moreover, the definition of a transition function Æ implies that only

the states of the form q U or q:(

U )

can have a loop.

From the above observations and the definition of loop-height it directly follows that

lh(A(')) U-depth(') m. Let q' be a state of the automaton and Y Succ 0 (q' ) be a set of its successors of 0

0

the first form (excluding these of both forms). In order to prove the second inequality of the theorem, we show that for every transition q' construction of an automaton A

'

0

!a S the set XS

=

S \ Y is X-free. The Æ q ; a)

( ) implies that if a positive boolean formula ( '

contains a state q

0

2 Y then the state always occurs in the formula Æ(q U; a) = Æ(q ; a) _ (Æ(q ; a) ^ q U ): Similarly, if Æ(q' ; a) contains a state q: U 2 Y then the state always occurs in the U

0

formula

)

(

Æ(q U ; a)

=

Æ(q; a) ^ (Æ(q ; a) _ q:

(

14

:

U) )

We show that the each set XS defined above satisfies the conditions for X-freeness for all transitions q'

0

!a S.

q U 2 XS. The property of Æ(q' ; a) mentioned above gives us that there is a a set S 0 S such that S 0 j= Æ(q ; a) or S 0 j= Æ(q ; a) ^ q U . Anyway, q U ! S 0 . The argumentation for the case q: U 2 XS is similar.

1. Let

0

(

)

Y XS be such a set that for every q 2 Y there is a transition q !a Sq0 such that q 62 Sq0 . Thus if q is of the form q U , then Sq0 j= Æ(q ; a). Otherwise, q is of the form q: U and Sq0 j= Æ(q ; a) ^ Æ(q ; a). Again, the property of Æ(q' ; a) mentioned above (together with the fact that Æ(q' ; a) is in positive normal form) S implies that there is a set S 00 (S r Y ) [ q2Y Sq0 satisfying S 00 j= Æ(q' ; a).

2. Let

(

0

)

0

0

Proving the X-freeness of the considered sets we have demonstrated that the improved translation allows to omit the X operators in front of the subformulae corresponding to the successors of q' of the first form (and not of both forms). Let us recall 0

that these successors correspond to the subformulae of the form formula

' 0 that are never in a scope of any X operator in ' 0.

U of the original

Hence, the improved

translation with use of the Xfree function assigning the X-free sets defined above pro-

duces the formula 'Xfree (A (')) with at most the same X-depth as the original formula

'.

We are done as Xh(A (')) keeps the lowest X-depth achievable by the improved

translation and thus Xh(A (')) X-depth(') n.

Combining Theorem 4.6 and Theorem 4.7 we get the following two corollaries.

A = (; Q; q0; Æ; F) there exists a function Xfree such that lh(A) lh(A ('Xfree (A))) and Xh(A) Xh(A ('Xfree (A))).

Corollary 4.8. For each A1W automaton

Corollary 4.9. For each formula ' 2 LTL(Um ; Xn ) and each alphabet there exists a function Xfree such that 'Xfree (A (')) 2 LTL(Um ; Xn ).

5 Defining LTL fragments via A1W automata In this section we define classes of A1W automata matching fregments of the form

1

LTL(Um ; Xn ; Fk ), where m; n; k 2 N 0 [ f g, and LTL fragments from so-called Untilˇ Release hierarchy [CP03]. All these fragments are given by syntactical constraints on LTL formulae. Basically, the classes of A1W automata can be defined by constraints on transition function and by constraints on the set of accepting states. 15

In order to improve the presentation of the following results, we overload the nota-

tion of LTL fragments; we identify an LTL fragment F with a set

fL(') j ' 2 F and is an alphabetg; i.e., with a set of languages defined by formulae from the fragment. The interpretation of F is always clearly determined by the context.

5.1 Fragments given by bounds on nesting depths of modalities In order to identify classes of A1W automata matching all LTL fragments of the form LTL(Um ; Xn ; Fk ), we need to replace the bound on U-depth('Xfree (A)) given by the loopheight of

A by bounds on U-depth and F-depth of the formula.

Therefore we define

another metrics called U-height. The definition of U-height reflects the structure of 'p0 .

; Q; q0; Æ; F) be an A1W automaton. inductively define its U-height, written Uh(p), as

Definition 5.1. Let

A

= (

8> >< maxfUh q >>: maxfUh q

( )

j q 2 Succ 0 (p)g + 1

For each state

p 2 Q we

if p 2 Succ(p) and

p is neither of F-type nor of G-type; 0 ( ) j q 2 Succ (p)g otherwise; where maximum over empty set is 0. The U-height of the automaton A is then defined as the U-height of its initial state, i.e. Uh(A) = Uh(q0 ). Uh(p) =

We are now ready to define the classes of A1W automata matching LTL fragments

of the form LTL(Um ; Xn ; Fk ). To shorten our notation, a class is formally defined as a set of languages accepted by A1W automata rather than a set of A1W automata.

[ f1g. We define A1W(m; n; k) to be the set fL(A) j A is an A1W automaton and Uh(A) m; Xh(A) n; lh(A) m+kg. Definition 5.2. Let

m; n; k 2

N0

Lemma 5.3. For all m; n; k 2 N 0

[ f1g it holds LTL(Um; Xn; Fk) = A1W(m; n; k).

' 2 LTL(Um; Xn; Fk) and be an alphabet. Theorem 4.7 implies that Xh(A (')) n and lh(A (')) m + k. Further, every state of the automaton A (') corresponding to a subformula F has the form q>U or q: >U . One can readily check that each state q>U is of F-type and each state q: >U is of G-type. Hence, these states do not increase the U-height of the automaton. We get Uh(A (')) m and thus L (') 2 A1W(m; n; k). Proof. Let

(

(

16

)

)

Let

m + k.

A be an A1W automaton such that Uh(A) m,

Xh(A)

n,

and lh(A)

Theorem 4.6 says that the automaton can be translated into formula from

;

' ;X ;

LTL(Um+k Xn ). As the definition of U-height reflects the structure of formulae p0 given by the improved translation it is easy to check that Xfree ( ) LTL( Uh(A) n Flh(A) ).

'

A 2

U

Moreover, arbitrary occurrence of F operator can be replaced by U operator. Hence,

the automaton can be translated into a formula from LTL(Um ; Xn ; Flh(A)-m ). Hence,

L(A) 2 LTL(Um; Xn; Fk).

Let us emphasize that Lemma 5.3 covers some previously studied LTL fragments.

For example, languages defined by LTL(Uk ; X; F) fragment (fragments of this form constitute so-called Until hierarchy [TW96, EW00]) can be defined by A1W automata with

k and vice versa. In particular, a language can be expressed by a formula from the LTL(X; F) fragment (also called Restricted LTL [PP04]) if and only if it U-height at most

is recognized by an A1W automaton such that every state with a loop is of F-type or G-type.

5.2 Until-Release hierarchy ˇ Until-Release heirarchy of LTL formulae has been introduced in [CP03]. It is based on alternation depth of U and R operators. Therefore it is also called alternating hierarchy. The hierarchy has a strong connection to the hierarchy of temporal properties introduced by Manna and Pnueli [MP90, CMP92]. Moreover, the classes of alternating hierarchy reˇ flects the complexity of their verification problem (for more information see [CP03]). LTL Definition 5.4. The classes LTL i ; i of the Until-Release hierarchy are defined inductively.

LTL The classes LTL 0 and 0 are both identical to LTL(X).

LTL The class LTL i+1 is the least set containing i and closed under the application of operators

LTL The class LTL i+1 is the least set containing i and closed under the application of operators

^; _; X; and U. ^; _; X; and R.

Let us note that the hierarchy collapses on third level with respect to its expressive power. More precisely, each language is definable by LTL if and only if it is definable by LTL a positive boolean combination of LTL 2 and 2 formulae. These formulae are contained

17

LTL in LTL 3 as well as in 3 . Again, we identify a fragment from the alternating hierarchy

with the set of languages defined by formulae of the fragment. The hierarchy does not care about X operators as well as the different expressiveness of F and U operators. Therefore we employ the standard translations given in Section 3. Intuitively, we show that alternation of U and R operators in a formula corresponds to the alternation of nonaccepting and accepting states in the structure of an A1W automaton. Definition 5.5. Let A = (; Q; q0 ; Æ; F) be an A1W automaton. For each i 2 N 0 we inductively define sets of states i and i as follows.

0 = 0 = fp j lh(p) = 0g. i

1 is the smallest set of states satisfying

+

– –

i

+

i [ i i 1 and if p 62 F and Succ 0 (p) i +

p 2 i

1 then

+

1,

+


– –

i [ i i 1 and if p 2 F and Succ 0 (p) i +

p 2 i

1 then

+

We also define functions A ; A

:

Q

1.

+

! N 0 as

A (p) = minfi j p 2 ig

and

A(p) = minfi j p 2 ig:

Definition 5.6. For each i 2 N 0 we define sets A1W and A1W as i i

A1W i A1W i

= =

fL(A) j A = (; Q; q0; Æ; F) is an A1W automaton and A (q0) ig; fL(A) j A = (; Q; q0; Æ; F) is an A1W automaton and A(q0) ig:

Theorem 5.7. For each i 2 N 0 it holds that LTL i

=

A1W . A1W and LTL i i = i

Before we give a proof of this statement, we present some auxiliary results. Definition 5.8. Let A = (; Q; q0 ; Æ; F) be an A1W automaton. For each i 2 N 0 we inductively define sets of states i0 and i0 as follows.

00 = 00 = fp j lh(p) = 0g. i0


+

18

– –

i

+

i0 [ i0 i0 1 and if p has no loop or p 62 F, and Succ 0 (p) i0 +

1 then

p 2 i0

1.

1 then

p 2 i0

1.

+

+


– –

i0 [ i0 i0 1 and if p has no loop or p 2 F, and Succ 0 (p) i0 +

+

We also define functions A0 ; A0

:

Q

! N 0 as

A0 (p) = minfi j p 2 i0g

and

+

A0 (p) = minfi j p 2 i0g:

Lemma 5.9. For every A1W automaton A with an initial state q0 there exists an A1W automaton B with an initial state q00 such that L(A) = L(B) and A0 (q0 ) = B (q00 ).

Proof. On intuitive level, i counts the maximal alternation of nonaccepting and accept-

ing states of the automaton, while i0 counts just the alternation of nonaccepting and accepting states with a loop. Hence, we need to modify an automaton A is such a way that the states without any loop do not increase the number of alternations of nonaccepting and accepting states. To do this, we make an accepting and a nonaccepting copy of each state without any loop and we modify transition function such that every state without any loop in every transition is be replaced by one of its two copies. As acceptance or nonacceptance of states without any loop has no influence on language given by the automaton, the modified automaton accepts the same language as the original one.

; Q; q0; Æ; F) be an A1W automaton. Let W denote the set of its states without any loop. We set B = (; Q 0 ; q00 ; Æ 0 ; F 0 ), where Let

A

= (

Q 0 = (Q r W ) [ fqa; qn j q 2 W g, q00 = q0 if q0 has a loop; q00 = qn0 otherwise, and F 0 = (F r W ) [ fqa j q 2 W g. For every p 2 Q 0 , by o(p) we denote a state of the original system corresponding to the

state p:

o(p) =

8< q :p

if p = qa or p = qn otherwise

19

For every p 2 Q 0 and a 2 , the positive boolean formula Æ 0 (p; a) arises from Æ 0 (o(p); a) by replacement of every state q 2 W with qa if p 2 F 0 and with qn otherwise. It remains to show that A0 (q0 )

B (q00 ). From the construction of the automaton B it follows that B0 (p) = A0 (o(p)) for every p 2 Q 0 . As o(q00 ) = q0 , it is sufficient to show that B0 (q00 ) = B (q00 ). If lh(q00 ) = 0, then we are done as B0 (q00 ) = 0 = B (q00 ). In the rest of the proof we show that the equation holds for lh(q00 ) > 0 as well. For each state p 2 Q 0 we define Succ (p) to be a transitive closure of Succ 0 relation, i.e., Succ (p) is the smallest set satisfying Succ 0(p) Succ (p) and =

+

+

+

if q 2 Succ (p) then Succ 0(q) Succ (p). Further, by LSucc (p) we denote the set of all states with a loop that are in Succ (p). From the construction of the automaton B it follows that for every state p 2 Q0 such that lh(p) > 0 the following equations hold. Again, maximum over empty set is 0. 8< maxfB (q) j q 2 LSucc (p) \ F 0 g + 1 if p 62 F 0 B (p) = : B(p) + 1 if p 2 F 0 8< B (p) + 1 if p 62 F 0 B (p) = : maxfB (q) j q 2 LSucc (p) r F 0 g + 1 if p 2 F 0 If we replace in the above equations the function B with B0 and the function B with B0 , the resulting equations hold for each state p with a loop. Hence, we get that for every state p 2 Q 0 with a loop it holds that B0 (p) = B (p) and B0 (p) = B (p). In particular, if q00 has a loop then B0 (q00 ) = B(q00 ). Let us note that if q00 has no loop then it is a nonaccepting state. Further, one can prove that if lh(q00 ) > 0, q00 has no loop, and LSucc (q00 ) \F 0 = ; then B0 (q00 ) = 1 = B (q00 ). Finally, let us assume that lh(q00 ) > 0, q00 has no loop, and LSucc (q00 ) \ F 0 = 6 ;. As q00 62 F 0, then +

+

+

+

+

+

+

+

B0 (q00 )

= =

= = =

maxfB0 (q) j q 2 LSucc+ (q00 )g maxfB (q) j q 2 LSucc+ (q00 )g

maxfB (q) j q 2 LSucc+ (q00 ) \ F 0 g

maxfB (q) + 1 j q 2 LSucc+ (q00 ) \ F 0 g maxfB (q) j q 2 LSucc+ (q00 ) \ F 0 g + 1

B (q00 );

(1) (2) (3) (4) (5) (6)

20

where (1) follows from the definition of B0 , (2) is due to the fact that for states with a loop the functions B0 and B coincide, and the equation B (q) = B (q) + 1 valid for all q

2 F 0 gives us (4). To sum up, B0 (q00 ) B (q00 ). We are done as it is easy to see that B0 (p) B(p) holds for each state p of an arbitrary A1W automaton B.

By analogy, for an A1W automaton A with initial state q0 one can construct an equiv-

alent A1W automaton B with an initial state q00 such that A0 (q0 ) = B (q00 ). Now we are ready to prove Theorem 5.7.

of Theorem 5.7. We focus on the former equation as proof of the latter one is analogous. A1W , we show that for every alphabet and In order to prove the inclusion LTL i i a formula ' 2 LTL i the automaton A = A (') given by standard LTL A1W translation

satisfies A (q' ) 0

!

i, where q' is an initial state of the automaton. This is sufficient due

to Lemma 5.9. Please note that operators U and R are not in scope of any negation in

'.

Hence,

A(') can be divided into three kinds according to the corresponding subformula of '. the states of the automaton

1. A subformula of the form X( U ) or

q

U

U is translated into a state q U satisfying

62 F.

2. A formula

R is seen as an abbreviation for :(: U :). Hence, a subformula

of the form X( R ) or

R is translated into a state q:(:

U:)

2 F.

3. A subformula of the form X that is not covered by the previous cases is translated into a state q such that q

62 F and q

has no loop.

To sum up, states corresponding to U operator are not accepting while the states corresponding to R operator are accepting. Moreover, these states are the only states that can have a loop. Using this observation it is easy to see that each subformula 0 2 LTL j =) A (q ) j

and

of ' satisfies

0 2 LTL j =) A (q ) j:

In particular, A0 (q' ) i. To prove the inclusion LTL i

we assume that A is an A1W automaton with an A1W i initial state q0 satisfying A (q0 ) i. We show that the formula '(A) given by the standard A1W!LTL translation can be equivalently expressed by a formula from LTL A q0 . (

21

)

U ) ^ G and ((X ) R ) _ are equivalent for all subformulae ; . Therefore, for each state p of the automaton A the formula 'p can be equivalently given as follows. Here we employ the fact that the formulae

'p =

8< p U p : X p R p ((

)

(

if p 62 F )

_ p

if p 2 F

This modified construction produces a formula that is equivalent to '(A). Moreover, U operators correspond to nonaccepting states while R operators correspond to accepting ones. Hence, the alternation of nonaccepting and accepting states in the automaton correspond to the alternation of U and R operators in the resulting formula. In other words, the formula is in LTL A (q0 ) .

6 Summary and future work We have improved a translation of A1W automata into LTL formulae that are language equivalent. The improvement allows us to define classes of A1W automata corresponding to some LTL fragments given by bounds on nesting depths of temporal operators. Further, we provide an automata-based definition of classes in Until-Release hierarˇ chy [CP03]. It is worth mentioning that using given automata-based definitions of the

classes LTL(Um ; Xn ) and LTL(U ; Xn ) one can prove some pumping lemmata similar to general stuttering and n-stuttering principles [KS02].

Beside the presented results our research brought several topics for future work. The most interesting topics follows. The conditions of X-freeness. The original A1W

!LTL translation has the property

'p corresponding to the state p contains a subformula X'q for every successor q of p. Definition 4.1 presents conditions for X-freeness of a set of successors.

that a formula

Roughly speaking, if a set of successors satisfies the conditions then we can omit X operators in front 'q for every q from the set and the translation remains correct.

The question is whether there are some more general and/or simpler conditions with the same effect. For example, we have no counterexample showing that the improved translation produces incorrect results when we set Xfree(p all states q 2 S r fpg satisfying 1. there is S 0

S such taht q !a S 0, and 22

!a S

)

to be a set of

2. if q

!a S and q 62 S then there exists S 0

0

00

(S r fqg) [ S 0 satisfying p !a S 00.

Unfortunately, we have no proof of correctness of the translation for this Xfree function. Succintness of A1W automata. Let us consider a formula ' with a more than one copy of a subformula

, e.g. '

=(

a_X

b ^ XX

)U(

).

All copies of the subformula corre-

spond to one state q of the automaton produced by LTL

!A1W translation. Therefore

we suppose (but we have no proof yet) that an A1W automaton can be exponentially more succint than arbitrary corresponding LTL formula in some cases. Expressiveness of AkW and connection to LTL extensions.

In Section 2 we have de-

fined alternating automata and alternating 1-weak atomata. An alternating automaton is called weak if the set of states

Q can be partitioned into disjoint sets Q1; Q2; : : :; Qn

such that

if q 2 Succ(p), q 2 Qi, and p 2 Qj then i j, and Qi \ F = ; or Qi F for every 0 < i n, where F is a set of accepting states. The automaton is called k-weak if jQi j k for every 0 < i n. General alternating weak automata recognize all !-regular languages, whereas alternating 1-weak automata recognize all LTL definable languages (star-free !-regular languages). The definition of alternating k-weak automata (or AkW automata for short) brings several interesting questions:

What is the expressive power of AkW automata?

Is the hierarchy of classes of AkW automata expressively strict?

For each k, is there any natural extension LTLk of LTL such that AkW automata define the same languages as LTLk ?

References [CMP92] Edward Chang, Zohar Manna, and Amir Pnueli. Characterization of temporal property classes. In Werner Kuich, editor, Automata, Languages and Programming, 19th International Colloquium (ICALP ’92), volume 623 of Lecture Notes in Computer Science, pages 474–486. Springer-Verlag, 1992. 23

ˇ [CP03]

ˇ Ivana Cerná and Radek Pelánek. Relating hierarchy of temporal properties to model checking. In Mathematical Foundations of Computer Science (MFCS), volume 2747 of Lecture Notes in Computer Science. Springer, 2003.

[DS98]

Stéphane Demri and Philippe Schnoebelen. The complexity of propositional linear temporal logics in simple cases (extended abstract). In Proc. 15th Ann. Symp. Theoretical Aspects of Computer Science (STACS’98), volume 1373, pages 61–72. Springer, 1998.

[EW00]

Kousha Etessami and Thomas Wilke. An until hierarchy and other applications of an Ehrenfeucht-Fraïssé game for temporal logic. Information and Computation, 160:88–108, 2000.

[GO01]

Paul Gastin and Denis Oddoux. Fast LTL to Büchi automata translation. In G. Berry, H. Comon, and A. Finkel, editors, Proceedings of the 13th Conference on Computer Aided Verification (CAV’01), volume 2102 of Lecture Notes in Computer Science, pages 53–65. Springer, 2001.

[God96] Patrice Godefroid. Partial-order methods for the verification of concurrent systems: an approach to the state-explosion problem, volume 1032 of Lecture Notes in Computer Science. Springer-Verlag Inc., 1996. [HP95]

Gerard Holzmann and Doron Peled. Partial order reduction of the state space. In First SPIN Workshop, Montrèal, Quebec, 1995. A position paper.

[KS02]

Antonín Kuˇcera and Jan Strejˇcek. The stuttering principle revisited: On the expressiveness of nested X and U operators in the logic LTL. In Julian Bradfield, editor, CSL ’02: 11th Annual Conference of the European Association for Computer Science Logic, volume 2471 of Lecture Notes in Computer Science, pages 276–291. Springer-Verlag, 2002.

[Lam83] Leslie Lamport. What good is temporal logic?

In R. E. A. Mason, editor,

Proceedings of the IFIP Congress on Information Processing, pages 657–667, Amsterdam, 1983. North-Holland. [LT00]

Christof Löding and Wolfgang Thomas. Alternating automata and logics over infinite words (extended abstract). In J. van Leeuwen et al., editors, Theoretical computer science: exploring new frontiers of theoretical informatics: International 24

Conference IFIP TCS 2000, volume 1872 of Lecture Notes in Computer Science, pages 521–535. Springer-Verlag, 2000. [MP90]

Zohar Manna and Amir Pnueli. A hierarchy of temporal properties. In Proc. ACM Symposium on Principles of Distributed Computing, pages 377–410. ACM Press, 1990.

[MSS88] David E. Muller, Ahmed Saoudi, and Paul E. Schupp. Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In Proceedings of the 3rd IEEE Symposium on Logic in Computer Science (LICS 1988), pages 422–427. IEEE Computer Society Press, 1988. [Pel98]

Doron Peled. Ten years of partial order reduction. In Alan J. Hu and Moshe Y. Vardi, editors, Proceedings of the 10th International Conference on Computer Aided Verification, volume 1427 of Lecture Notes in Computer Science, pages 17–28. Springer, 1998.

[Pnu77] Amir Pnueli. The temporal logic of programs. In Proceedings of the 18th IEEE Symposium on the Foundations of Computer Science, pages 46–57. IEEE Computer Society Press, 1977. [PP04]

Dominique Perrin and Jean-Eric Pin. Infinite words, volume 141 of Pure and Applied Mathematics. Elsevier, 2004.

[Roh97] Scott Rohde. Alternating automata and the temporal logic of ordinals. PhD thesis, University of Illinois at Urbana-Champaign, 1997. [Sch03]

Philippe Schnoebelen. The complexity of temporal logic model checking. In Advances in Modal Logic, vol. 4, selected papers from 4th Conf. Advances in Modal Logic (AiML’2002), pages 437–459. King’s College Publication, 2003.

[Tau03]

Heikki Tauriainen. On translating linear temporal logic into alternating and nondeterministic automata.

Research Report A83, Helsinki University of

Technology, Laboratory for Theoretical Computer Science, 2003. [TW96]

Denis Thérien and Thomas Wilke. Temporal logic and semidirect products: An effective characterization of the until hierarchy. In 37th Annual Symposium on Foundations of Computer Science (FOCS ’96), pages 256–263. IEEE, 1996. 25

[TW04]

Denis Thérien and Thomas Wilke. Nesting Until and Since in linear temporal logic. Theory of Computing Systems, 37(1):111–131, 2004.

[Val91]

Antti Valmari. A stubborn attack on state explosion. In Edmund M. Clarke and Robert P. Kurshan, editors, Proceedings of Computer-Aided Verification (CAV ’90), volume 531 of Lecture Notes in Computer Science, pages 156–165. Springer, 1991.

[Var97]

Moshe Y. Vardi. Alternating automata: Unifying truth and validity checking for temporal logics. In William McCune, editor, Proceedings of the 14th International Conference on Automated Deduction, volume 1249 of LNAI, pages 191–206. Springer, 1997.

[VW86]

Moshe Y. Vardi and Pierre Wolper. An automata-theoretic approach to automatic program verification. In Proceedings of the First Symposium on Logic in Computer Science, pages 322–331, Cambridge, June 1986.

[VW94]

Moshe Y. Vardi and Pierre Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, 1994.

[Wil99]

Thomas Wilke. Classifying discrete temporal properties. In Chr. Meinel and S. Tison, editors, STACS ’99: Annual Symposium on Theoretical Aspects of Computer Science, volume 1563 of Lecture Notes in Computer Science, pages 32–46. Springer-Verlag, 1999.

[Wol83] Pierre Wolper. Temporal logic can be more expressive. Information and Control, 56:72–99, 1983. [WVS83] Pierre Wolper, Moshe Y. Vardi, and A. Prasad Sistla. Reasoning about infinite computation paths (extended abstract). In 24th Annual Symposium on Foundations of Computer Science, pages 185–194. IEEE, 1983.

26